SOAP Components

The following services are needed for the SOAP security part: The following services are needed for the SOAP security part:

  • Security Token Service
  • Charon Authorisation Service
  • Policy Enforcement Point Service
  • SOAP Security Proxy

To install and configure the HTTP secuirty components, you have to follow these steps:

  1. Install the Charon Authorisation Service.
  2. Install the Security Token Service.
  3. Install the Policy Enforcement Point Service.
  4. Install the SOAP Security Proxy.

Security Token Service

The Security Token Service (STS) is responsible for the authentication of users and is documented and specified in the OASIS WS-Trust specification. The authentication assertion produced by the STS is formulated in the Security Assertion Markup Language. A client trying to access a service secured by the IDMS has to embed this assertion in every service request.

The STS implementation used by the IDMS is the HMA Authentication Service. Please refer to the documentation included in the \docs folder of the HMA Authentication Service package how to compile the service. This document will only deal on how to install the service. To deploy the service successfully, you first have to install and configure an LDAP service. Then proceed with the following steps:

  • Put the authentication_v2.1.aar folder in the ${AXIS2_HOME}/WEB-INF/services/ folder. The authentication_v2.1.aar folder contains all configuration files for the STS.
  • The main configuration of the service takes place in the authentication-service.properties.
  • Using the saml-ldap-attributes-mapping.properties, you can map your LDAP attributes to SAML attributes if necessary.
  • You may configure the logging behaviour in the Log4J configuration file in authentication-service-log4j.properties.

Following properties can be set in the authentication-service.properties configuration file:

LDAPURL
URL to the LDAP service.
LDAPSearchContext
Search context for users.
LDAPPrincipal
The “user name” used by the STS to access the LDAP service.
LDAPCredentials
The password used in combination with LDAPPrincipal
KEYSTORE_LOCATION
Path to the Keystore file containing the certificate used for signing the SAML tokens.
KEYSTORE_PASSWORD
The keystore password.
AUTHENTICATION_CERTIFICATE_ALIAS
Alias of the keystore entry wich is used for signing the SAML tokens.
AUTHENTICATION_CERTIFICATE_PASSWORD
Password corresponding to the AUTHENTICATION_CERTIFICATE_ALIAS
CLIENT_CERTIFICATE_ALIASES
Comma serperated list with keystore aliases of trusted clients.
SAML_TOKEN_EXPIRY_PERIOD
Defines how long a SAML token is valid.
SAML_ASSERTION_ISSUER
SAML Token issure.
SAML_ASSERTION_ID_PREFIX
SAML Token prefix.
SAML_ASSERTION_NODE_NAMESPACE
Namespace for attribute assertions.
ENCRYTION_ENABLE
Enables or disables encryption of SAML tokens.
INCLUDE_CERTIFICATE
Enables or disables inclusion of SAML tokens.
LOG4J_CONFIG_LOCATION
Path to the Log4J configuration file.

Policy Enforcement Point Service

Before installing the Policy Enforcement Point Service, refer to the General Configuration for CHARON services.

The Policy Enforcement Point enforces the authorisation decisions made by the Authorisation Service.

The next step is deploying the PEP Service, therefore extract the ZIP archive into the directory of your ${AXIS2_HOME}.

Now you have to configure the service. The configuration files are in the ${AXIS2_HOME}/WEB-INF/classes folder. Open the PEPConfiguration.xml to configure the service. The configuration file already contains documentation of the single elements.

SOAP Security Proxy

Before installing the SOAP Security Proxy, refer to the General Configuration for CHARON services. If you want to secure a Web Coverage Service, you can use the provided WCS Security Proxy. In this case, jump to Installing the Proxy.

Generating the Proxy

The SOAP Proxy is used as a proxy for a secured service. This means a user client does not communicate directly with a secured service, instead it sends all requests to the proxy service.

First, you have to generate the proxy service. In order to do this, open a shell and navigate to the ${ProxyCodeGen_HOME}/bin directory. Run the script to generate the proxy service:

  • Linux, Unices:

    ./ProxyGen.sh -wsdl path/to/wsdl

  • Windows:

    .\ProxyGen.bat -wsdl path\to\wsdl

The parameter -wsdl points to a file with the WSDL of the secured service.

After a successful service generation, the folder ${ProxyCodeGen_HOME}/tmp/ dist contains the new proxy service.

Installing the Proxy

Take the service zip and deploy it by unpacking its content to the ${AXIS2_HOME} folder. For MTOM support, please make sure that the parameter enableMTOM in the file ${AXIS2_HOME}/axis2.xml is enabled.

Edit the ProxyConfiguration_${SERVICE_NAME}.xml to configure the service. The configuration file already contains documentation of the single elements.